On 3/17/2022 8:26 PM, Mickaël Salaün wrote:
> On 17/03/2022 14:01, Konstantin Meskhidze wrote:
> > On 3/15/2022 8:02 PM, Mickaël Salaün wrote:
> > > Hi Konstantin,
> > >
> > > This series looks good! Thanks for the split in multiple patches.
> >
> > Thanks. I follow your recommendations.
> >
> > > On 09/03/2022 14:44, Konstantin Meskhidze wrote:
> > > > Hi,
> > > >
> > > > This is a new V4 bunch of RFC patches related to Landlock LSM
> > > > network confinement.
> > > > It brings deep refactoring and commit splitting of the previous version V3.
> > > > Also added additional selftests.
> > > >
> > > > This patch series can be applied on top of v5.17-rc3.
> > > >
> > > > All tests were run in a QEMU environment and compiled with the
> > > > -static flag.
> > > >
> > > > 1. network_test: 9/9 tests passed.
> > >
> > > I get a kernel warning running the network tests.
> >
> > What kind of warning? Can you provide it please?
>
> You really need to get a setup that gives you such a kernel warning. When
> running network_test you should get:
>
> WARNING: CPU: 3 PID: 742 at security/landlock/ruleset.c:218 insert_rule+0x220/0x270
>
> Before sending new patches, please make sure you're able to catch such
> issues.
>
> > > > 2. base_test: 8/8 tests passed.
> > > > 3. fs_test: 46/46 tests passed.
> > > > 4. ptrace_test: 4/8 tests passed.
> > >
> > > Does your test machine use Yama? That would explain the 4/8. You can
> > > disable it with the appropriate sysctl.
>
> Can you answer this question?
>
> > > > Tests were also launched for the Landlock version without the
> > > > v4 patch:
> > > > 1. base_test: 8/8 tests passed.
> > > > 2. fs_test: 46/46 tests passed.
> > > > 3. ptrace_test: 4/8 tests passed.
> > > >
> > > > Could not provide test coverage because I had problems with the tests
> > > > on the VM (tests compiled without the -static flag, no v4 patch applied):
> >
> > Hi, Mickaël!
> > I tried to get base test coverage without the v4 patch applied.
> >
> > 1. Kernel configuration:
> >    - CONFIG_DEBUG_FS=y
> >    - CONFIG_GCOV_KERNEL=y
> >    - CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
> > 2. Added GCOV_PROFILE := y in security/landlock/Makefile
> > 3. Compiled the kernel and rebooted the VM with the new one.
> > 4. Ran the Landlock selftests as root user:
> >    $ cd tools/testing/selftests/landlock
> >    $ ./base_test
> >    $ ./fs_test
> >    $ ./ptrace_test
> > 5. Copied the GCOV data to some folder:
> >    $ cp -r /sys/kernel/debug/gcov/<source-dir>/linux/security/landlock/ /gcov-before
> >    $ cd /gcov-before
> >    $ lcov -c -d ./landlock -o lcov.info && genhtml -o html lcov.info
> >
> > I got the following result:
> >
> > " Capturing coverage data from ./landlock
> > Found gcov version: 9.4.0
> > Using intermediate gcov format
> > Scanning ./landlock for .gcda files ...
> > Found 7 data files in ./landlock
> > Processing landlock/setup.gcda
> > /home/kmeskhidze/work/src/gcov_before/landlock/setup.gcda:cannot open data file, assuming not executed
> > Processing landlock/object.gcda
> > /home/kmeskhidze/work/src/gcov_before/landlock/object.gcda:cannot open data file, assuming not executed
> > Processing landlock/cred.gcda
> > /home/kmeskhidze/work/src/gcov_before/landlock/cred.gcda:cannot open data file, assuming not executed
> > Processing landlock/ruleset.gcda
> > /home/kmeskhidze/work/src/gcov_before/landlock/ruleset.gcda:cannot open data file, assuming not executed
> > Processing landlock/syscalls.gcda
> > /home/kmeskhidze/work/src/gcov_before/landlock/syscalls.gcda:cannot open data file, assuming not executed
> > Processing landlock/fs.gcda
> > /home/kmeskhidze/work/src/gcov_before/landlock/fs.gcda:cannot open data file, assuming not executed
> > Processing landlock/ptrace.gcda
> > /home/kmeskhidze/work/src/gcov_before/landlock/ptrace.gcda:cannot open data file, assuming not executed
> > Finished .info-file creation
> > Reading data file lcov.info
> > Found 38 entries.
> > Found common filename prefix "/home/kmeskhidze/work/src/linux_5.13_landlock"
> > Writing .css and .png files.
> > Generating output.
> > Processing file arch/x86/include/asm/atomic64_64.h
> > Processing file arch/x86/include/asm/bitops.h
> > Processing file arch/x86/include/asm/atomic.h
> > Processing file arch/x86/include/asm/current.h
> > Processing file include/asm-generic/getorder.h
> > Processing file include/asm-generic/bitops/instrumented-non-atomic.h
> > Processing file include/linux/fs.h
> > Processing file include/linux/refcount.h
> > Processing file include/linux/kernel.h
> > Processing file include/linux/list.h
> > Processing file include/linux/sched.h
> > Processing file include/linux/overflow.h
> > Processing file include/linux/dcache.h
> > Processing file include/linux/spinlock.h
> > Processing file include/linux/file.h
> > Processing file include/linux/rcupdate.h
> > Processing file include/linux/err.h
> > Processing file include/linux/workqueue.h
> > Processing file include/linux/fortify-string.h
> > Processing file include/linux/slab.h
> > Processing file include/linux/instrumented.h
> > Processing file include/linux/uaccess.h
> > Processing file include/linux/thread_info.h
> > Processing file include/linux/rbtree.h
> > Processing file include/linux/log2.h
> > Processing file include/linux/atomic/atomic-instrumented.h
> > Processing file include/linux/atomic/atomic-long.h
> > Processing file security/landlock/fs.c
> > Processing file security/landlock/ruleset.h
> > Processing file security/landlock/ruleset.c
> > Processing file security/landlock/ptrace.c
> > Processing file security/landlock/object.h
> > Processing file security/landlock/syscalls.c
> > Processing file security/landlock/setup.c
> > Processing file security/landlock/cred.c
> > Processing file security/landlock/object.c
> > Processing file security/landlock/fs.h
> > Processing file security/landlock/cred.h
> > Writing directory view page.
> > Overall coverage rate:
> >   lines......: 0.0% (0 of 937 lines)
> >   functions..: 0.0% (0 of 67 functions) "
> >
> > Looks like the .gcda files were not executed.
> > Maybe I did miss something. Any thoughts?
>
> You can build statically-linked tests with:
> make -C tools/testing/selftests/landlock CFLAGS=-static

Ok. I will try. Thanks.

> > > > 1. base_test: 7/8 tests passed.
> > > > Error:
> > > > # Starting 8 tests from 1 test cases.
> > > > # RUN global.inconsistent_attr ...
> > > > # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)
> > >
> > > This looks like a bug in the syscall argument checks.
> >
> > This bug I just get when I don't use the -static option. With -static
> > the base test passes 8/8.
>
> Weird, I'd like to know what is the cause of this issue. What distro and
> version do you use as host and guest VM? Do you have some warning when
> compiling?
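The lcov run quoted in the thread reports "cannot open data file, assuming not executed" for every .gcda and then 0.0% coverage, which is the symptom of a copied GCOV directory whose data files are unreadable or empty rather than of code that never ran. The following POSIX shell check is an added example, not code from the thread or from the Landlock or lcov projects: it scans a copied GCOV directory (such as the /gcov-before folder above) and flags .gcda files that are unreadable or zero-length and .gcno entries that are dangling symlinks (in the kernel's debugfs export the .gcno files are symlinks into the build tree), so the copy step can be fixed before generating a report. The function name check_gcov_dir, the demo directory and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a copied kernel GCOV
# directory before running lcov. lcov prints "cannot open data file,
# assuming not executed" for every .gcda it cannot read, which ends in
# a 0.0% report; catching that here points at the copy step instead.

# check_gcov_dir DIR
#   Prints one line per problem and returns 0 when every .gcda file is
#   readable and non-empty and every .gcno entry resolves, 1 otherwise.
check_gcov_dir() {
    dir="$1"
    status=0
    found=0
    for f in "$dir"/*.gcda; do
        [ -e "$f" ] || continue          # unmatched glob: no .gcda files
        found=1
        if [ ! -r "$f" ]; then
            echo "unreadable: $f"
            status=1
        elif [ ! -s "$f" ]; then
            echo "empty (no execution counts recorded): $f"
            status=1
        fi
    done
    for f in "$dir"/*.gcno; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "dangling .gcno symlink (build tree moved?): $f"
            status=1
        fi
    done
    if [ "$found" -ne 1 ]; then
        echo "no .gcda files found in $dir"
        status=1
    fi
    return "$status"
}

# Constructed demo data: one populated .gcda, one empty .gcda and a .gcno
# symlink that points nowhere. Real data comes from
# /sys/kernel/debug/gcov/<source-dir>/... after the tests have run.
demo_dir=$(mktemp -d)
printf 'constructed-gcda-bytes' > "$demo_dir/ruleset.gcda"
: > "$demo_dir/fs.gcda"
ln -s "$demo_dir/does-not-exist.gcno" "$demo_dir/fs.gcno"

# Reports the empty fs.gcda and the dangling fs.gcno, then exits non-zero.
check_gcov_dir "$demo_dir" || echo "fix the GCOV copy before running lcov"
```

Run it against the directory passed to `lcov -d`; a clean exit means lcov's "cannot open data file" lines, if they still appear, are not caused by the copied files themselves.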